Inside the subject line there can be multiple subparts, such as CN=xxx, DC=xxx, UID=xxx, OU=xxx, C=xxx, ... Each subpart is represented in the certificate as an OID that is globally unique and registered with the IETF. For example, the OID of CN is 2.5.4.3, and the OID of UID is 0.9.2342.19200300.100.1.1. How are we supposed to find out the OID? OpenSSL provides a command option for just that.

openssl x509 -in user-cert.pem -text -noout -nameopt RFC2253,oid

This command prints the cert with each subject component shown as OID=xxx instead of CN=xxx.

December 8, 2014

Openconnect is a nice open source SSL VPN client for Cisco AnyConnect, and also for the open source SSL VPN server ocserv (hosted on the same website as openconnect). Below are some tips on how to cross-compile openconnect for ARM with GnuTLS.

Openconnect works with both OpenSSL and GnuTLS. However, to use a hardware token (smart card, etc.), you will need GnuTLS.

To use a hardware token, GnuTLS also depends on p11-kit (version 0.22.1), pcsc-lite (version 1.8.11) and opensc (0.14.0), which itself depends on pcsc-lite.

All of these packages support autoconf, so one can run "configure" to generate the makefile(s). We use the --prefix "/opt/ncs-install" to install all packages. Below are the customized "configure" scripts for each package:

December 4, 2014

openssl verify -untrusted intermediate-ca.pem your-cert.pem

Put the list of intermediate CAs (in PEM format, concatenated) in intermediate-ca.pem and pass it with the "-untrusted" option. That name tricked me initially, but it is the one to use. The command above uses the system CA list to verify the cert; if you have your own CA, add the option "-CAfile your-ca.pem".
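To see both tips from these notes working end to end (the "-untrusted" chain verification and the OID-form subject printing), here is an added example that is not part of the original posts. It builds a throwaway root CA, intermediate CA and user cert in a temporary directory; the file names, the "x.cnf" config and the subject values (a user with CN=alice and UID=alice) are all constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): build a root -> intermediate -> leaf
# chain, show why -untrusted is needed, and print the leaf subject as OIDs.
# All names, paths and subjects below are constructed for this demo.
set -eu
WORK=$(mktemp -d)

# Minimal config so the example does not depend on the system openssl.cnf
cat > "$WORK/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF

# Root CA (self-signed, CA:TRUE)
openssl req -x509 -config "$WORK/x.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 2 -subj "/CN=Demo Root CA" 2>/dev/null
# Intermediate CA, signed by the root
openssl req -new -config "$WORK/x.cnf" -newkey rsa:2048 -nodes \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/x.cnf" -extensions ca_ext -days 2 -out "$WORK/int.pem" 2>/dev/null
# User (leaf) cert carrying both CN and UID, signed by the intermediate
openssl req -new -config "$WORK/x.cnf" -newkey rsa:2048 -nodes \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=alice/UID=alice" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
  -extfile "$WORK/x.cnf" -extensions leaf_ext -days 2 -out "$WORK/leaf.pem" 2>/dev/null

# Succeeds: root is the trust anchor, the intermediate is supplied as untrusted chain material
verify_with_untrusted() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}
# Fails with "unable to get local issuer certificate": the intermediate is missing
verify_without_untrusted() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
}
# Prints the subject with OIDs, e.g. 0.9.2342.19200300.100.1.1=alice,2.5.4.3=alice
subject_with_oids() {
  openssl x509 -in "$WORK/leaf.pem" -noout -subject -nameopt RFC2253,oid
}

verify_with_untrusted
verify_without_untrusted || echo "as expected, verification fails without -untrusted"
subject_with_oids
```

Note that RFC2253 output lists the RDNs in reverse order, so UID (0.9.2342.19200300.100.1.1) appears before CN (2.5.4.3).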